amass

Enumerate subdomains passively

$ amass enum -passive -d [example.com]

$ amass enum -active -d [example.com]

$ amass enum -d [example.com] -o [output.txt]

$ amass enum -d [example.com] -src -ip

amass command [options]

amass is an OWASP project for in-depth attack surface mapping and asset discovery. It performs DNS enumeration, subdomain brute-forcing, and leverages numerous data sources including search engines, certificate transparency logs, and APIs.
The tool builds a comprehensive map of an organization's external network footprint, identifying subdomains, related domains, and network blocks.

enum

Perform enumeration and network mapping

Collect intelligence on target organization

Track changes to discovered infrastructure

Manage the graph database

Visualize collected data

Target domain

Only use passive data sources (no DNS queries)

Use active methods including DNS brute-forcing

Show IP addresses of discovered names

Show source of each discovered name

Enable subdomain brute-forcing

Output file path

Directory for output files

Configuration file

~/.config/amass/config.ini

Main configuration file for data sources, API keys, and enumeration settings.

Active enumeration generates significant DNS traffic and may be detected. Many data sources require API keys for full access. Results vary based on configured sources.

amass was created by Jeff Foley and became an official OWASP project. It gained widespread adoption in the security community for reconnaissance and bug bounty hunting.

subfinder(1), dnsenum(1), nmap(1)